This Week in Cybercrime: State Court Hack Punishes the Guilty and the Innocent

Up to a Million Washington Residents Affected by Hack of State Court Network

It’s likely that most of the people charged with crimes in Washington State between September 2011 and December 2012 have already been exonerated or have paid their respective debts to society. But for roughly a million of them (at least some of whom were found not guilty at trial, established their innocence before their cases went that far—or were in court simply to fight a traffic ticket) that moment of contact with the state’s court system may lead to another punishment: identity theft. The state government revealed this week that the website for the Washington State Administrative Office of the Courts was hacked and that the attacker may have gotten away with the names and social security numbers of anyone booked into a city or county jail in the state during that time. Officials also couldn’t rule out the possibility that some people who were charged in the state's superior court criminal system in 2011 or 2012, cited for driving under the influence between 1989 and 2011, or went to court for traffic-related offenses during that period might be at risk. The larger group's names and driver's license information may have been taken.

"The access occurred through a ‘back door' part of a commercial software product [Adobe Systems’ ColdFusion] we were using, and it is patched now," Mike Keeling, information technology operations and maintenance manager for the court system, told reporters on a conference call.

At the same time that state officials were offering up the usual assurances that no financial data such as credit card numbers was accessed as a result of the break-in, they revealed that the breach was discovered in February (and could have been exploited as early as last fall). Since then, the state has attempted to notify only the 94 people (that is not a typo) whose information they could absolutely confirm was taken. Of their delay in reporting the incident, the government employees insisted that they didn’t initially think any confidential personal details had been stolen—despite the fact that a large volume of data had been downloaded through the backdoor. "We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites," Callie T. Dietz, the state’s court administrator, said in a written statement. Dietz also offered this fun fact: The break-in was the first time the court system’s network had been hacked. Hurray! Trophies and orange slices for everyone on the team!

Listeners Got Free Downloads With Software that Modified Spotify

Spotify, the second leading source of digital music revenue raked in by the major record labels (behind Apple’s iTunes), scrambled to close a gaping security hole that allowed users to download MP3 music files for free. A new Google Chrome browser extension called Downloadify, which had been available at the Chrome Web Store until Google removed it this week, contained code that let Spotify users download a DRM-free copy of any song they played via the site. “It is effectively stealing,” Sheena Sheikh, an intellectual property attorney, told the BBC. “You are committing an infringement. You’re not authorized to download the songs. You don’t have permission.” Downloadify’s developer says he does not plan to update the code in response to Spotify’s security updates.

Washington, D.C. Media Sites Pawns in Watering Hole Attacks

It came out this week that the websites of several Washington, D.C.-area media outlets have become pawns in so-called watering hole attacks aimed at scaring people into downloading phony antivirus software that gives the cybercriminal control over the user’s machine. Attackers took advantage of vulnerabilities in Java or Adobe browser plug-ins used on the websites of local radio station WTOP, Federal News Radio, and technology blogger John Dvorak. The sites were seeded with exploits that redirected visitors to a page designed to deliver a scareware executable called Amsecure.

Though the source of the attacks on WTOP and Federal News Radio has not been determined, security researchers with Invincea say they induced an attack from the malware infecting Dvorak’s site. They reported that when they went to Dvorak’s site using the Internet Explorer browser, IE automatically downloaded a Java application from the attacker’s site that redirected the browser to one of two malicious Russian domains. Once there, Amsecure and its threatening messages began downloading to the machine, and the site set up a desktop shortcut making it easier for a terrified user to unwittingly make the situation worse.

Kaspersky Lab’s Threatpost says that an admin for the Dvorak site posted a note indicating that malware had been discovered in the main configuration file for the site’s WordPress content management system. “Given the amount of attention WordPress has received both recently and historically by miscreants seeking to hijack legitimate websites in order to drive user traffic to malware landing pages, this came as no surprise to us,” Invincea security engineer Eddie Mitchell told Threatpost. Unfortunately, it apparently came as a surprise to the administrators of the affected sites.

Who Wrote the Book on Cybercrime?

Once upon a time, the U.S. National Security Agency (NSA) wanted to make government operatives more efficient at digging up information online. So it produced a book chock full of tips and tricks. And it was a big book. The 643-page how-to manual, called Untangling the Web: A Guide to Internet Research (.pdf), includes a chapter called “Google Hacking” that focuses on taking advantage of misconfigured web servers “that list the contents of directories not intended to be on the web [but] offer a rich load of information to Google hackers.” The online guidebook for spies was made public by the NSA in response to a freedom of information request by MuckRock, a site that charges fees to process public records for activists and others.
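The misconfiguration the “Google Hacking” chapter leans on is ordinary directory listing: a web server that, for any folder lacking an index file, hands every visitor (and every search-engine crawler) a generated page enumerating the folder’s contents. The snippet below is an added example written for this column, not taken from the NSA manual or any of the sites mentioned; it shows the weak setting beside the hardened one for nginx. The hostname and document root are placeholders.

```nginx
# Added example (not from the NSA guide or the article).
# Hostname and paths are placeholders.

# Weak: every directory without an index file is listed to anyone who asks,
# which is how such listings end up in a search engine's index.
server {
    listen 80;
    server_name example.test;
    root /var/www/site;
    autoindex on;
}

# Hardened: listings disabled everywhere; a directory with no index file
# yields a 403 instead of its contents, and unknown paths yield a 404.
server {
    listen 80;
    server_name example.test;
    root /var/www/site;
    autoindex off;                 # nginx's default, stated explicitly
    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading the configuration, requesting a directory URL that has no index file on your own server should come back as 403 (or 404) rather than an “Index of …” page; the Apache equivalent of `autoindex off` is `Options -Indexes` in the relevant `<Directory>` block.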

The authors preface their instructions with this disclaimer: “Nothing I am going to describe to you is illegal, nor does it in any way involve accessing unauthorized data…[instead it] involves using publicly available search engines to access publicly available information that almost certainly was not intended for public distribution.” But a Wired article reminds us that this was the exact activity for which Andrew “weev” Auernheimer was recently sentenced to 3.5 years in prison. Auernheimer was convicted of hacking for using similar methods to access publicly accessible information on AT&T’s website.

Anyone concerned about the NSA laying bare what it’s currently up to needn’t worry. The spy agency released an old version of the manual detailing the methods it was using back in 2007. In any event, it could probably help companies and individuals see which vulnerabilities attract the most attention and aid them in stepping up their online security.

And in other cybercrime news…

The U.S. government arrested seven people in connection with a string of high-tech bank robberies. The hauls—40 000 withdrawals in 27 countries—allegedly netted a total of $45 million. Federal prosecutors say that within hours after the culprits hacked into credit card processors in the United Arab Emirates and Oman and eliminated the maximum withdrawal limits for debit card transactions, the crew dispatched accomplices to withdraw money from ATMs around the world using stolen MasterCard data. In one instance, thieves walked away with $2.4 million siphoned from 3000 ATMs in New York over a 10-hour period.